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Abstract 



Attempts to find new quantum algorithms that outperform classical computation have fo- 
cused primarily on the nonabelian hidden subgroup problem, which generalizes the central 
problem solved by Shor's factoring algorithm. We suggest an alternative generalization, namely 
to problems of finding hidden nonlinear structures over finite fields. We give examples of two 
such problems that can be solved efficiently by a quantum computer, but not by a classical com- 
puter. We also give some positive results on the quantum query complexity of finding hidden 
nonlinear structures. 

1 Introduction 

One of the major open problems in quantum computation is to develop new quantum algorithms. 
Much of the work on this question has focused on the nonabelian hidden subgroup problem (HSP), 
attempting to extend the quantum solution of the abelian HSP [HJ[T71[T8]. Unfortunately, these 
efforts have met with only limited success. In this paper, we describe an alternative way of gener- 
alizing the success of Shor's algorithm. 

The key to exponential savings in quantum algorithms is the creation of sharp constructive 
interference in large sets. Such precise interference is only known to arise in a few cases, primarily 
in which the set is a group. Under these conditions, the key to quantum speed-up is to diagonalize 
the group algebra, i.e., to perform a Fourier transform. Once this has been done, certain structures 
become easy to detect. 

The structures that have been investigated so far are subgroups and their cosets. In the case of 
abelian groups, the Fourier transform is a mapping from the group to its dual, and this mapping 
respects subgroups and cosets. Advances in quantum algorithms have been pursued by extending 
the groups from abelian to nonabelian, but in the nonabelian case there is no dual group, and the 
same approach is not available. Indeed, certain methods that work in the abelian case are known 
to fail in some nonabelian cases, such as the symmetric group [7tl8lll3|. 

Our approach in this paper is to shift the focus back to the Fourier transform over abelian 
groups, and to consider what other hidden structures can be revealed by abelian Fourier transforms 
via constructive interference effects. We turn for inspiration to optics and acoustics, where light 
or sound can be highly focused (i.e., undergo highly constructive interference) when reflected by 
a conic (e.g., parabolic or elliptic) surface. To connect this idea to known quantum algorithms, 
observe that abelian hidden subgroup problems, when restricted to a vector space, can be viewed 
as determining a hidden linear structure. (Most generally, this viewpoint makes sense for a module 
over any ring, but here we restrict ourselves to vector spaces over finite fields.) Any subgroup of 
the additive group of (q = p m a prime power) is an F g -linear subspace, and the cosets of this 
subgroup consist of parallel afflne subspaces, or flats. Given a black box function that is constant on 
each flat and distinct on different ones, abelian Fourier sampling determines the hidden subspace in 
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time poly (d log </). Pursuing the analogy with wave mechanics, our approach is to set up black box 
functions that are constant on quadratic surfaces, and use interference effects to discover properties 
of the unknown quadratic. More generally, we will study this approach for algebraic sets of higher 
degree. 

The first problem we study is the hidden radius problem. In this problem, the hidden property 
is the radius r of a sphere. We give an efficient quantum algorithm for determining one bit of 
r, namely whether or not it is a quadratic residue, assuming that the dimension is odd. With a 
classical computation, even this restricted problem requires exponentially many queries. (For the 
problem of determining the other bits of r, we argue that the quantum query complexity is small.) 

The second problem we discuss is the hidden flat of centers problem. In this problem, the radius 
of the sphere is fixed (say, at r = 1), but its center is constrained to lie in an unknown flat in FJjj. 
For example, the centers of the spheres may lie on an unknown line. For this problem, we give 
an efficient quantum algorithm to determine the entire hidden flat, not just one bit of information 
about it. However, this algorithm also works only when the dimension is odd. The main idea of 
the algorithm is to use a quantum walk to move amplitude from the spheres to their centers. Our 
algorithms for both this and the hidden radius problem make crucial use of a connection to certain 
exponential sums called twisted Kloosterman sums. 

Both of the above problems fall into a framework of shifted subset problems. For problems in 
this class, the main idea is to define a black box function that is constant on some subset of the 
points in F^, as well as on shifted versions of this subset, with the function taking distinct values 
when the shifts are different. The goal may be either to determine some property of the basic 
subset, or of the allowed shifts, or both. Typically, this will not give a well-defined black box, since 
different shifts of the subset may lead to overlapping points. However, we can resolve this issue by 
defining the black box carefully. 

We also obtain results regarding hidden polynomial structures of higher degree. These results 
are purely information-theoretic (i.e., regard query complexity). We introduce the framework of 
hidden polynomial problems. In these problems, the hidden object is a multivariate polynomial 
h(x) e ¥ q [x\, . . . ,Xd] chosen from some set of possible polynomials. We are given a black box 
function that is constant on the level sets of h(x) (i.e., the sets {x 6 F^ : h(x) = y} for various 
y € Fq) and distinct on different level sets, and the goal is to determine h{x). When h(x) is linear, 
this is the abelian HSP described above, whereas for more general polynomials, it is typically not 
an HSP in any group. (Observe that a hidden polynomial problem, unlike a shifted subset problem, 
is automatically an oracle problem.) 

Assuming the dimension d and the degree of h{x) is constant, we show that the query complexity 
of the hidden polynomial problem is typically poly (log q). We show this by considering an analog 
of the standard approach to the HSP, wherein one query of the black box is used to produce a 
quantum state that depends on the hidden object. Provided these states are sufficiently statistically 
distinguishable, it follows that poly(logg) copies contain enough information to determine the 
hidden object with high probability. To establish distinguishability of the states, we give two 
simple but apparently new results about the fidelity between general quantum states satisfying 
certain intersection conditions, and we show that one of these conditions is satisfied by typical 
polynomials. These lemmas could also have applications to problems involving quantum states 
derived from combinatorial designs that are unrelated to polynomials. 
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2 Hidden radius problem 



We begin by considering the first of two shifted subset problems, the hidden radius problem. In 
the quantum version of the hidden radius problem, our goal is to determine an unknown radius 
r G F q given a uniform superposition over points in on a sphere of radius r whose center is 
chosen uniformly at random. We give an efficient quantum algorithm for determining whether r is 
a quadratic residue, provided d is odd. We also show that the quantum query complexity of finding 
r is poly (log q), again assuming d is odd, and we give evidence that this should also be the case for 
d even. 

For this problem to make sense classically as well as quantumly, we define it in terms of a black 
box function. Roughly speaking, we would like to define a black box function that on input x, 
a point on the sphere of radius r with center t, outputs some encryption of t, thereby giving a 
function that is constant on shifted spheres and distinct on different spheres. But this cannot be 
done directly, since spheres can intersect. To resolve this issue, we note that the vector s = x — t 
pointing to x from the center t uniquely describes a particular sphere. So our black box fx takes as 
input the pair x and an encryption a of s and outputs an encryption of t. We also supply a black 
box /_i that takes as input the pair x and encryption of t and outputs the encryption of s. The 
goal of the problem is to determine r using an oracle that computes either fx or /_i as desired. (In 
Appendix |Aj we give a black-box formulation of general shifted subset problems, which provides 
an alternative oracle for the hidden radius problem.) 

It is straightforward to show that this problem is hard for a classical computer. 

Theorem 1. Any classical computation with access to fx and /_i requires an expected exponential 
number of queries to obtain a 1/ poly(cZlogg) bias for any single bit of information about r. 

Proof sketch. Let the hidden radius r be uniformly random, and let fx(x, cr) be a uniformly random 
one-to-one function of the sphere center t = x—s, where a is the encryption of s. Now we can assume 
without loss of generality that the algorithm is deterministic. Given any sequence of evaluations 
of fx and f-x that do not involve any sphere twice, the conditional distribution on subsequent 
evaluations involving points on other spheres is uniform. The probability of success is therefore 
sub-polynomial so long as the square of the number of queries is less than a polynomial fraction of 
q d . □ 

To solve this problem on a quantum computer, we use the following state generation procedure. 
Begin with a uniform superposition over x and a, then compute fx, then uncompute a using 
and finally discard the function value, giving (up to normalization) 

^2\x,a) ^^2\x,a,fx{x,a)} (1) 

x,a x,a 

-X>,/l(s,<7)) (2) 

x,cr 

i — ^ \S r + t) where t is uniformly random in F^ (3) 

where S r denotes the sphere of radius r centered at the origin, and where we use the convention 
that for a finite set S, \S) := Ylses \s) / y/\S\ denotes the normalized uniform superposition over 
elements of S. In other words, we can use two queries to the oracle to produce the mixed quantum 
state 

Pr ~ — Yl \Sr+t)(S r + t\ (4) 
q te¥ q 
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from which we would like to extract information about the hidden radius r. 

The sphere of radius r centered at the origin is defined by S r := L^ x ^ r , where A(x) := Y^j=i x % 
and where Lf iV := f~ l {y) = {x G X : f{x) = y} denotes the level set of /(x) with value y. The 
quadratic polynomial A(x) can be thought of as measuring the distance from the origin in ¥ d 
(although of course it does not satisfy a triangle inequality); then S r consists of the points at 
distance r from the origin. 

Note that since we are working in a finite field, there is no concept of large spheres or small 
spheres; indeed all spheres contain approximately the same number of points. In particular, the 
number of points on the sphere of radius r is |12^ Theorem 1] 



<r ^ + x((-i) (d ' 1)/2 r)V¥ 



,c2-l 



-1 



d odd, r/0 
d even, r/0 
d odd, r = 
q d-l +x ((_ 1 )rf/2)^_ i)y^d=2 deven,r = 0. 



(5) 



where x denotes the quadratic character of F* . In other words, up to small corrections, every 
sphere has about points on it (except that the sphere of zero radius in two dimensions consists 
of 2q — 1 points when q = 1 mod 4; and is simply a single point, the origin, when q = 3 mod 4). 

Our goal is to determine r using polynomially many copies of the hidden radius state p r . For 
any r, the state is invariant under arbitrary translations in F^. This symmetry can be exploited 
using the d-dimensional Fourier transform over ¥ q , 



U := 



1 



,tr k-x 



\k)(x\ 



(6) 



where to p := e 2m ^ p , k ■ x := Ylj=l ^j x ji an< ^ where tr a := a + a p + • • • + a q ^ p denotes the trace from 
Fg to F p . Fourier transforming the state, we find 



Uprtf = Pr{k\r)\k){k\ with Pr( 



q d \S r 



Etrk-x 
Up 

x£Sr 



(7) 



Since the resulting density matrix is diagonal, we can measure in the Fourier basis without loss of 
information, and all that remains is to infer r from samples of Yi(k\r). 

To understand this distribution, we must understand the Fourier transform of a sphere, which 
is given by [12] 

^<^ = ^(r,A(fc)/4) (8) 

(assuming k ^ 0), where G\ = —( — l) m ^/q when p = 1 mod 4, and G\ = —{—i) m y/q when p = 
3 mod 4, and where we define the ij -twisted Kloosterman sum 



K v (a,b) :=£ 77(c) of 



(9) 



ceF„ 



for a,b £ F g , and for any multiplicative character rj of F 
as the discrete analog of a Bessel function.) 



(This exponential sum can be viewed 
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If the dimension is odd, then we are interested in a x-twisted Kloosterman sum, also known as 
a Salie sum. This has the explicit form [^115] 



K x (a,b) = < 2x(6)Gicos 
,0 




ab = 0, a / or b ^ 
Xipb) = 1 

x(ab) = — 1 or a = b = . 



(10) 



In particular, we see that Pr(A(/c) = 0) is exponentially small, and for A(k) ^ 0, x(A(/c)) deter- 
mines x(r) as follows. For r ^ 0, if x( r A(/c)) = —1, Pr(fc|r) = 0. On the other hand, if r = 0, 
Pr(x(A(/c)) = +1) = Pr(x(A(A;)) = —1) = 1/2 — o(l). This gives a simple quantum algorithm to 
determine x( r )- 

Theorem 2. For d odd, there is an efficient bounded-error quantum algorithm to determine x( r )- 

Proof. The algorithm repeats the following process a constant number of times: Prepare p r , perform 
the Fourier transform, measure a value of k, compute A(k), and discard the result if A(fc) = 0. If 
the results include points with both x(A(/c)) = +1 and x(A(fc)) = —1, output r = 0. Otherwise, 
output the common value of x(A(/c)). A straightforward calculation shows that this algorithm 
succeeds with constant probability. □ 

Ideally, we would like to determine not just x( r )> but rather r itself. While we do not know an 
efficient algorithm, we can at least show that polynomially many queries suffice: 

Theorem 3. For d odd, poly(log(7) queries to the hidden radius oracle suffice to determine r. 

The proof is given in Appendix [Bl 

If the dimension is even, then the distribution Pr(A;|r) depends on the (non-twisted) Kloosterman 
sum 



No closed- form expression for such sums is known. But we do know that in the limit q — > oo, 
the distribution of values of the Kloosterman sum asymptotically approaches the Sato- Tate (semi- 
circle) distribution [HIU], and indeed the convergence to this distribution is rapid [14J. Since 
the Sato- Tate distribution is far from uniform, this shows that the states p r ,p r > are information- 
theoretically distinguishable for typical pairs r ^ r' . We conjecture that in fact arbitrary pairs can 
be distinguished. 

Not only do we not have a closed- form expression for non- twisted Kloosterman sums, but we do 
not even know whether they can be efficiently approximated on a quantum computer. If we could 
approximate these sums, then we could efficiently distinguish distinguishable pairs of radii. The 
problem of approximately computing Kloosterman sums (as well as more general exponential sums) 
on a quantum computer appears to be a natural open problem. Indeed, it will also be relevant to 
the even-dimension case of the problem considered in the following section. 

3 Hidden flat of centers problem 

In this section, we consider a second shifted subset problem, the hidden flat of centers problem. 
In this problem, unlike the hidden radius problem, the spheres are promised to have unit radius. 
Their centers lie on an unknown flat H, and the goal is to determine this flat. For a general black- 
box formulation of shifted subset problems that applies to the hidden flat of centers problem, see 




(11) 
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Appendix [A] With that black box, the classical query complexity of determining H is exponential 
in dlogg. Here we give an efficient quantum algorithm for finding H, provided d = 0(1) is odd. 

Using the quantum oracle for the hidden flat of centers problem, we can produce the quantum 
state 

' ' heH 

Our goal is to determine H by making measurements on this state. We do this by using a quantum 
walk to move amplitude from Si + h to h. If we can move a sufficiently large fraction of the 
amplitude, then we can determine the hidden flat by (classically) solving a noisy linear algebra 
problem. 

To move amplitude from unit spheres to their centers, we will use a continuous-time quantum 
walk on the Winnie Li graph. This graph has vertex set ¥ d , and edges between points x,x' G ¥ d 
with A(x — x') = 1. Thus its adjacency matrix is 

^:=EE \x + s)(x\. (13) 
xew* se<Si 

The continuous-time quantum walk for time t is simply the unitary operator e~ lAt . This unitary 
operator can be efficiently implemented on a quantum computer provided we can efficiently trans- 
form into the eigenbasis of A, and can efficiently compute the eigenvalue corresponding to a given 
eigenvector. 

The adjacency matrix (|13p has eigenvectors 

1 1,\ . \ , ,tr k-x 



for k G Fq, as is clear from translation invariance. Thus we can transform to the eigenbasis of A 
simply using the Fourier transform ([6]). The corresponding eigenvalues are given by the Fourier 
transform of a unit sphere (cf. Section [2]): 

X , = V u) tThx = < k = ° (15) 

xTs! P {GiK(l,A(k)/4)/q otherwise. 

All of these eigenvalues are 0(y/ with the exception of Ao = 0((7 d_1 ). It will be helpful 
to remove the single large eigenvalue, so we will replace A by A := A — Ao|0)(0|. Then we have 
P|| < 1\[q^ =l PI]. 

Lemma 4. Suppose we start with the quantum state U2\) , perform the quantum walk with the 
modified adjacency matrix A for time t = 1/ \J q d ~ l log q, and finally measure in the computational 
basis. Then each point in H occurs with probability |i7| _1 [l/logg + 0(1/ log 3 / 2 q)], and any point 
not on H occurs with probability 0{q~ d ). 

Proof. Consider the evolution of a single sphere \Si+x). Taylor expanding the action of the walk, 
the amplitude at the center x is 

{x\e~ iAt \Si + x) = -it{x\A\Si +x) + 0(\\A\\ 2 t 2 ) (16) 



-it^sTHl-Oiq-^+OiWAft 2 ), (17) 
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so 

\{x\e- iAt \S x + x)\ 2 = -L + 0(log- 3 / 2 g) . (18) 
logg 

Averaging over x £ H gives the first part of the lemma. 

It remains to show that the background is nearly uniform. To see this, note that e~ lAt leaves 
invariant the subspace span{|x), |<So + x), \Si + x), . . . , |<S 9 -i + x)} (which contains the state |0)), 
since A\x) = -\/\Si\ \S\ + x) and 

A\S r + x) = — L= Yl \s + s' + x) = — =L= \Si nS r + y-x\ \y) . (19) 
V 1^1 seSrs'eS! V \ s r\ y& d 

Here the coefficient of y depends only on A(y — x) (with y = x a special case distinct from 
A(y — x) = 0) by the fact that the orthogonal group over F^ acts transitively on nonzero points 
of fixed norm (as a consequence of Witt's Lemma [2]). Thus the evolved state e~ lAt \S\ + x) is 
spherically symmetric about x. 

Now consider making a measurement on \S r + x) for some r G ¥ q : each point on S r + x 
occurs with probability l/|5 r |. Averaging over x G H, we see that the point y G F^ occurs with 
probability \{x G H : y E S r + a?}|/(|5 r | • \H\). Since |<S r | = e^" 1 ), |J5T| = q di ™ H , and the 
numerator is \H n (5i + y)| = 0(g dim ^ _1 ), the probability of seeing any y G FJ^ is 0(q~ d ). Thus 
the piece of e _jA *|5i + x) orthogonal to when averaged over x G H, contributes probability 
0(q~ d ) to every point y G F^. □ 

Now we show how to reconstruct the flat H using samples from this distribution. A priori, 
dimil is unknown, so we iteratively try increasing values of dimH until the following procedure 
identifies H. 

Let d! = dimH + 1, so that d! points in affine general position are sufficient to determine H. 
Suppose we sample k = poly(logg) points, so that with high probability the number of points in 
H is at least Ad! . The following lemma shows that with high probability the fc-sample does not 
intersect any flat H' other than H, of the same dimension as H, in more than Ad! points. Thus the 
flat H can be computed by exhaustively trying all ( 4 ^,) = poly(logg) subsets of the sample points. 

Lemma 5. Suppose we sample k points independently and identically with the following dis- 
tribution: the point is uniformly random in H with probability at least 1/ poly (log q), and any 
point not in H has probability at most c/q d for some constant c. Then Pr[3H' ^ H,dimH' = 

dimH, with > Ad' points from the k-sample] < 0((j/) )(c/q) d ' . 

Proof sketch. For this event to occur, either 2d' points must fall in H' n H or 2d' points must fall 
in H' — H. We bound the probabilities of each of these events by similar arguments. 

Consider the first of these events. Let s\, . . . , S2d> be the first 2d' points of the fc-sample that fall 
in H'nH. Since Pr[dimaffspan{si, . . . , S2d'} < d' — 2} < (l + 0(l/q)) Pr[dimaffspan{si, . . . , S2d'} < 
d' — 2 anddimaffspanjsi, . . . , Srf'} = dimaffspanjsi, . . . , S2d'}] (where affspan denotes the affine 
span of a set of points), it is sufficient to bound the probability of the latter event. For each of the 
(^,) subsets s±, . . . ,Sd> within the fc-sample, the probability of this event is bounded by the number 
of ways of choosing the remaining d' points out of k, times the probability that all remaining d! 
points fall in affspanjsi, . . . , Sd'}- Overall the probability of this event is bounded by (^,) (l/q) d ' . 

The case of H' — H is similar; the only change is that because we have less control over the 
probabilities with which points are selected, the final bound is Q,) (c/q) d ' . □ 

Overall, we have shown 
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Theorem 6. Suppose d = O(l) is odd. Then there is a quantum algorithm to determine the hidden 
flat of centers in time poly(logg). 

Note that we could use the same algorithm for d even, provided we could efficiently approximate 
the eigenvalues of A by approximately calculating (non-twisted) Kloosterman sums. 

4 Hidden polynomial problems 

In this section, we prove some general results on the distinguishability of black box functions, 
and then use these results to show that the quantum query complexity of the hidden polynomial 
problem (defined in Section I4.2j) is typically polynomial. 

4.1 Distinguishability of states with given intersection properties 

Consider a black box function / : X — > Y where X, Y are finite sets. Any such function can be 
encoded in a quantum state using an approach analogous to the so-called standard method for 
the hidden subgroup problem. In this approach, we begin with a uniform superposition over the 
input space, compute the black box function in an auxiliary register, and then discard that register, 
giving (up to normalization) 

x<=X x£X x<=X 

i — > \Lf y ) where y G Y occurs with probability |L^ !3/ |/|X| . (21) 

(Recall that L^ y := f~ l {y) = {x £ X : f(x) = y} denotes the level set of f(x) with value y.) In 
other words, this procedure uses one query of the black box to produce the mixed quantum state 

w-E^rlW^I- (22) 

y eY 1 1 

Suppose that / is chosen from a set T of possible black box functions (where log jj^l = 
poly (log |-X"|)), and we would like to determine which one we have. Then we can create t = 
poly (log |X|) copies of the state (|22p. p®', and perform a quantum measurement to attempt to 
determine /. If some such measurement succeeds with high probability, then the query complex- 
ity of the problem is polynomial. For some measurement to succeed, it suffices to show that the 
single-copy states are pairwise distinguishable, as measured by the quantum fidelity 

F(p,f/):=tr\y/py/S\. (23) 

This follows from a result of Barnum and Knill [3] : 

Theorem 7. Suppose p is drawn from an ensemble {pi, . . . ,pn}> where each p/, occurs with some 
fixed prior probability. Then there exists a quantum measurement that returns the outcome k with 
probability at least 1 — iV max^j F(pi, pj). 

(In fact, by the minimax theorem, this result holds even without assuming a prior distribution for 
the ensemble [9].) In particular, since 

F(p& }f /&) = F(p,p'Y, arbitrarily small error probability 
e > can be achieved using I > [~2(log./V — loge)/log(l/ maxj^-y F(pi, Pj))~\ , so t = poly(logiV) 
copies suffice provided the maximum fidelity is bounded away from 1 by at least 1/ poly (log N). 
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Such an argument has been used to show that the query complexity of the hidden subgroup problem 
is polynomial [5]; here we give analogous results for the hidden polynomial problem. 

We begin by giving two bounds on the pairwise fidelity in terms of the intersection properties 
of the functions. 

Lemma 8. Suppose Pr y „/ g y [\Lf y H Lp y '\ > a] < /3, and \Lf y \ < 5 for all y G Y . Then 

F{ Pf , Pfl ) 2 <{a 2 + (i5 2 )\Y\^\x\ 2 . 

Proof. By the Cauchy-Schwartz inequality applied to the singular values of ^fpf^/Pp (whose rank 
is clearly at most |Y|), 

F(p f ,p f ,) 2 < \Y\ixpfp f , (24) 
= W]2 E \ L f,v^ L f,y'\^ (25) 

y,y'eY 

and the claim follows from the assumptions. □ 

Lemma 9. Suppose Pr ye y [|Lj- iy n Lp >y i\ > a] < f3 for all y' G Y, and 7 < \L^ y \ < 5 for all y. 
Then F(p f ,p f ,) 2 < a\Y\ 2 /j\X\ '+ /35\Y\/\X\. 

Proof. Let H p denote the projector onto the support of p. By considering the POVM with elements 
lip, 1 — Hp and noting that the classical fidelity of the resulting distribution is an upper bound on 
the quantum fidelity, we have F(p,p') < -y/tr H p p'. Thus 

1 1 y,y'eY 1 f ' yl 

a\Y\ 2 1 ^ (Ey'ey\ L Ly nL f',y'\) 
S jyl + I y| 2^ I r, , I 



bad 



all'l 2 



where Ibad := {y G ^ : \Ff,y D Lp y'\ > « for some y' G K}. Then the claim follows from the 
assumptions. □ 



4.2 Distinguishability of hidden polynomial states 

Now we specialize to the hidden polynomial problem. Let h(x) G ¥ q [x\, . . . , xj] be a polynomial in d 
variables over ¥ q of total degree deg h = O(l). This polynomial is hidden by a function / : X — » Y" 
where X = and \Y\ > g, which is simply /i composed with an arbitrary injective function from 
¥ q to Y. In particular, the level sets of / are isomorphic to the level sets of h. It is important 
that the black box hiding function / is not simply the hidden polynomial h, so that the problem 
of reconstructing h from queries to / will be hard for a classical computer. However, pf = ph by 
the isomorphism of the level sets, so it is sufficient to calculate the fidelity between the states as if 
the hiding functions were in fact the polynomials. 

We begin by specializing Lemmas [8] and [9] to the case of hidden polynomial states. Here and in 
what follows, the number of variables and the degrees of polynomials are considered bounded; the 
notation o(l) is with respect to the limit q — > 00. 
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Corollary 10. Let d>2, and suppose Pr^gf [h(x) — y and h'(x) — y' have a common factor] = 
o(q' 1 ). Then F(p h ,p h t) = o(l). 

Proof. By Lemma 4.3.3 of |16j . provided h and h! do not share a common factor, l-L^o D £/i',o| < 
q d ~ 2 deg h deg h! minjdeg h, deg h'}; thus we can take a = 0(q d ~ 2 ) with = o{q~ 1 ). By the 
Schwartz-Zippel Lemma (Lemma 3.3.1 in [16]), \Lh,o\ < (l d l degh; thus we can take 5 = 0(q d ^ 1 ). 
Then the result follows from Lemma □ 

Corollary 11. Let d > 2, and suppose Piy^ q [h(x) — y not absolutely irreducible] = o(l). Then 
for all h! with degh' < degh (other than multiples of h), F(pi l ,pi l i) = o(l). 

Proof. Since h is irreducible, it cannot share a common factor with h', so we can take a = 0(q d ~ 2 ) 
with (3 = o(l). By Lemma 5.5.1 of [16], provided h is absolutely irreducible, l-L^ol = q d ~ l [l + 
0(g -1 / 2 )], so we can take 7 = f2(g d_1 ) and 5 = 0(q d ^ 1 ). Then the result follows from LemmaO □ 

Finally, we show that almost all polynomials satisfy the conditions of Corollary II 1\ which implies 
that the query complexity of typical hidden polynomial problems is poly (log q). 

Theorem 12. Fix d > 2 and t > 1. Then for a fraction 1 — o(l) of the polynomials h in 
F g [xi, . . . ,Xd] of total degree t, for all h' with degh' < t (other than multiples of h), F(ph,ph') = 
o(l)- 

Proof. We show that the fraction of polynomials that are not absolutely irreducible is 0(1/ q). Then 
the theorem follows by application of Corollary [IT] and Markov's inequality. 

The main idea is to count nontrivial factorizations of h. Let ¥ q (d;t) denote the set of d-variate 
polynomials over ¥ q of total degree t. If t = 1 then we know the states are distinguishable (since 
they are abelian hidden subgroup states), so we can assume t > 2. It is convenient to discuss 
F g -projectivized polynomials, i.e., equivalence classes with respect to multiplication by nonzero 
elements in ¥ q ; denote these by ¥¥ q (d;t). 

The number of Fq-degrees of freedom of ¥¥ q (d; t) (i.e., the number of elements of ¥ q required 
to specify a member of F¥ q (d;t)) is ( d ^ t ) — 1- The number of F g -degrees of freedom of PF k(d;t) 
(the set of F fc-projectivized polynomials with coefficients in F k) is — l)- Now we rely on 

the following fact: Let h £ ¥¥ q (d;t). Then there is a (unique) factorization h = h\ - ■ - hi (for some 
i > 1) with each hi G ¥¥ q (d;t), and of the following special form: In the (unique) factorization 
hi = ■ ■ ■ rjifc of hi over the algebraic closure of ¥ q , for every j, the smallest field containing the 
coefficients of rjij is ¥ q k i , and the Frobenius automorphism c 1— ► c q , acting on coefficients, cyclically 
permutes the set {77^1, . . . , r/^^}. (In particular, for any fixed i, the rji j are all distinct.) Most 
importantly, r]i 1 determines all the rji j, so the number of F g -degrees of freedom of hi (of degree ti) 
is 1 1). 

There are at most t possible values for £; we bound the number of factorizations by treating 
£ > 1 and i = 1 separately. 

The number of F g -degrees of freedom for the factorizations of h with £ > 1 is upper bounded 
by maxi< 4 / <t [(^ ) + ) — ^\ ' ^ sumces to show that this is < ( rf ^*) — 2, hence strictly less 

than ( rf ^*) — 1, the number of F q -degrees of freedom of ¥¥ q (d; t). Fix an ordered set of size d + t. It 
has ( rf ^*) subsets of size d, ( rf "jj* ) subsets of size d which avoid the last t — t' elements, and ) 
subsets of size d which avoid the first t' elements. The latter two collections have just one common 
element, so we need only note that for t > 2, there is at least one subset of size d which is in neither 
collection. 
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The number of F g -degrees of freedom for the factorizations with t = 1 is, by the earlier discus- 
sion, maxfc>i [k(( d+ ^ k ) — 1)1 . We again need to show that this is < — 2. Fix a set of size 
d + t, and partition it into So of size d and B±, . . . , each of size i/fc. For any 1 < i < A;, the 
quantity ) — 1 counts the subsets of size d which are contained in Bq U Bi but which are not 
equal to Bq. These are disjoint subsets. None of them includes Bq; and because t > 2, they also 
miss at least one other subset of size d, which intersects more than one of B±, . . . ,Bk- Hence the 
desired inequality follows. □ 
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A General formulation of shifted subset problems 



In Section [21 we explained one way to formulate the hidden radius problem as a black box problem. 
In this appendix, we give an alternative definition that applies to general shifted subset problems. 
(It is also possible to give a general definition along the lines of Section [21 but such a definition 
requires certain intersection properties not required here.) 

An instance of a shifted subset problem over X := is specified by a subset of points S and a 
set of shifts T. The problem is to determine some property of S or T (or both) using a black box 
that hides the shifted subsets S + t for t £ T. 

To obfuscate the meanings of the shifts, we introduce a bijection r : T —* T. Furthermore, to 
obfuscate the meanings of the points in the subsets, we introduce a bijection at : S — > S for each 
t £ T. The black-box function tt : S x T — > X defined as tt(s, t) := r(t) + o~t(s) turns an input (s, t), 
representing an encryption of a point in the space associated with a particular shifted subset, into 
an explicit point x £ X. We associate each encrypted shift t £ T with a black-box function value 
f(t), where / : T — > Y is an injection into an arbitrary finite set Y. Finally, to allow erasing the 
encrypted inputs (s,i), we introduce the function g : X x Y ^ (S x T) U {0} defined as 

j(s,t) 3s £ S,t £ T : n(s,t) = x and f(t) = y 
g(x,y):=\ . (29) 

I otherwise . 

The oracle allows us to compute tt, /, or g as desired. 
Just as in Theorem [H we have 

Theorem 13. Any classical computation with access to tt, f , and g requires an expected exponential 
number of queries to obtain a 1/ poly (d log q) bias for any single bit of information about S or T. 

The proof proceeds along the same lines as before. 

However, on a quantum computer, we can prepare quantum states that encode S and T. We 
begin with a uniform superposition over the encrypted inputs (s,i), compute the point x = n(s,t), 
compute /(£), uncompute the original inputs, and finally discard the function value. This procedure 
results in the state (up to normalization) 



Yl l^>^ 2 tt(s, *)> (30) 

ses,ter s eS,teT 

^ Y \s,t,w(s,t),f(t)) (31) 

s£S,t£T 

^ ^ Hs,t),f(t)} (32) 

i— > \S + t) where t is uniformly random in T . (33) 
In other words, we have prepared the shifted subset state 

Note that we may allow the possible sets S to have different sizes, and similarly for the possible 
sets T. For example, we see from ([5]) that spheres of nonzero radius have two different sizes in odd 
dimensions. In such cases the black box functions can be expanded to include a symbol that 
is returned if the input is invalid. The above procedure can still be used provided the probability 
that the measurement returns the outcome is small. 
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B Query complexity of the HRP in odd dimensions 



Proof of Theorem The distribution of k is given by 



Pr(fc|r) 



q\S r 



\S r \ 2 /q d - 1 k = 

1 rA(fc) = 0, r / or A (A;) / with fc ^ 

4 cos (27rtr y/rA(k)/p) x(rA(k)) = 1 

x(rA(&)) = -1 or r = A (A;) = with fe ^ . 



(35) 



Now consider a pair of distinct radii r, r' . We have already described an efficient algorithm to 
determine x( r ) (and in particular, to decide whether x( r ) = 0)) so we can assume r,r' ^ 0. If 
x( r ) 7^ x( r ')> then the distributions they induce have nearly disjoint support, and their total 
variation distance is 1 — o(l). Otherwise, we can rescale the spheres and the measured values 
of A (A;) so that we are effectively distinguishing radius 1 from some arbitrary radius r / 1 with 
x( r ) = 1- The minimum total variation distance between the resulting distributions is 



min — 

X(s)=l 



X (r)=l 



COS 



2-7T tr 2 tr ^frs 



p 



COS 



2 ^ 
mm — y 



2 27rtrs 
cos cos 



P 

2 27rtr rs 



mm 



reF*\{±l} Q 



2 v ^ 1 



cos ■ 



> 



2 x 1 

min — 



reF 9 x \{±l} q 



^ A 



P 

Att tr s 
P 

Att tr s 



7^ 

47rtr rs 



cos ■ 



P 

47rtr rs 



cos ■ 



cos ■ 



min — 

r6F,*\{±l) 9 ^ 



COS 



p 

2 47T tr s 

p 



p 



Air tr s Att tr rs 
cos cos 



p 



P 



cos 



2 Att tr s 
P 



(36) 
(37) 
(38) 
(39) 
(40) 
(41) 



Since an arbitrary pair of radii are statistically distinguishable with constant total variation dis- 
tance, poly(log q) samples are information-theoretically sufficient to identify an arbitrary radius. □ 

Note that the distribution (|35j) in the case x( r A(A;)) = 1 resembles the distribution induced by 
a well-known single-register measurement for the dihedral hidden subgroup problem [6], which has 
resisted attempts at efficient postprocessing. 
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